rpms/selinux-policy/devel policy-20060608.patch, 1.47, 1.48 selinux-policy.spec, 1.243, 1.244
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Aug 3 16:50:30 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv27604
Modified Files:
policy-20060608.patch selinux-policy.spec
Log Message:
* Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-20
- More fixes for xen
policy-20060608.patch:
global_booleans | 2
global_tunables | 89 ++++++++------
mcs | 3
mls | 9 -
modules/admin/anaconda.te | 10 +
modules/admin/bootloader.te | 6 -
modules/admin/consoletype.te | 11 +
modules/admin/firstboot.te | 5
modules/admin/netutils.te | 10 -
modules/admin/prelink.te | 1
modules/admin/rpm.fc | 2
modules/admin/rpm.if | 4
modules/admin/usermanage.te | 2
modules/kernel/corecommands.fc | 1
modules/kernel/corenetwork.te.in | 5
modules/kernel/devices.fc | 3
modules/kernel/files.fc | 1
modules/kernel/filesystem.if | 21 +++
modules/kernel/filesystem.te | 2
modules/kernel/kernel.if | 75 ++++++++++++
modules/kernel/selinux.if | 18 ++-
modules/kernel/selinux.te | 4
modules/kernel/storage.fc | 1
modules/kernel/terminal.if | 18 +++
modules/services/amavis.te | 7 +
modules/services/apache.te | 1
modules/services/automount.te | 8 +
modules/services/avahi.te | 2
modules/services/bind.fc | 3
modules/services/bluetooth.if | 23 +++
modules/services/bluetooth.te | 7 +
modules/services/clamav.fc | 3
modules/services/clamav.if | 22 +++
modules/services/clamav.te | 20 ---
modules/services/cron.if | 16 ++
modules/services/cups.te | 6 -
modules/services/cyrus.te | 5
modules/services/dovecot.fc | 1
modules/services/dovecot.te | 10 +
modules/services/ftp.te | 2
modules/services/hal.te | 10 +
modules/services/inetd.te | 12 +-
modules/services/ldap.fc | 1
modules/services/ldap.if | 21 +++
modules/services/ldap.te | 2
modules/services/lpd.if | 20 +--
modules/services/mailman.te | 15 ++
modules/services/nis.te | 1
modules/services/nscd.if | 20 +++
modules/services/ntp.te | 2
modules/services/openvpn.te | 8 +
modules/services/pegasus.if | 31 +++++
modules/services/pegasus.te | 5
modules/services/postfix.te | 13 ++
modules/services/postgrey.fc | 2
modules/services/postgrey.if | 19 +++
modules/services/postgrey.te | 20 +++
modules/services/procmail.te | 5
modules/services/radius.fc | 1
modules/services/radius.te | 8 +
modules/services/remotelogin.te | 1
modules/services/samba.te | 6 -
modules/services/setroubleshoot.fc | 11 +
modules/services/setroubleshoot.if | 24 ++++
modules/services/setroubleshoot.te | 146 ++++++++++++++++++++++++
modules/services/spamassassin.te | 4
modules/services/squid.te | 9 -
modules/services/ssh.if | 24 ++++
modules/services/tftp.te | 1
modules/services/xfs.te | 2
modules/services/xserver.if | 22 +++
modules/services/xserver.te | 3
modules/services/zebra.te | 7 +
modules/system/authlogin.if | 3
modules/system/authlogin.te | 1
modules/system/fstools.fc | 1
modules/system/getty.fc | 1
modules/system/getty.te | 3
modules/system/hostname.te | 10 +
modules/system/hotplug.te | 2
modules/system/init.if | 7 -
modules/system/libraries.fc | 4
modules/system/locallogin.te | 1
modules/system/logging.fc | 3
modules/system/logging.if | 6 -
modules/system/logging.te | 9 +
modules/system/lvm.te | 3
modules/system/mount.te | 2
modules/system/selinuxutil.te | 29 ++++
modules/system/setrans.te | 5
modules/system/sysnetwork.te | 1
modules/system/udev.fc | 1
modules/system/udev.te | 4
modules/system/unconfined.fc | 1
modules/system/unconfined.if | 8 -
modules/system/unconfined.te | 13 +-
modules/system/userdomain.if | 221 ++++++++++++++++++++++++-------------
modules/system/userdomain.te | 50 +++-----
modules/system/xen.if | 38 ++++++
modules/system/xen.te | 30 +++--
100 files changed, 1098 insertions(+), 274 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -r1.47 -r1.48
--- policy-20060608.patch 3 Aug 2006 14:47:22 -0000 1.47
+++ policy-20060608.patch 3 Aug 2006 16:50:26 -0000 1.48
@@ -1977,7 +1977,7 @@
') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.3.3/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-07-14 17:07:14.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/ssh.if 2006-08-03 10:32:50.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/ssh.if 2006-08-03 10:49:34.000000000 -0400
@@ -71,6 +71,7 @@
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
@@ -3077,7 +3077,7 @@
selinux_set_boolean(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.3/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-07-14 17:07:12.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/xen.if 2006-08-03 10:26:57.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/xen.if 2006-08-03 12:41:40.000000000 -0400
@@ -127,3 +127,41 @@
allow xm_t $1:fifo_file rw_file_perms;
allow xm_t $1:process sigchld;
@@ -3096,10 +3096,10 @@
+#
+interface(`xen_use_fds',`
+ gen_require(`
-+ type xen_t;
++ type xend_t;
+ ')
+
-+ allow $1 xen_t:fd use;
++ allow $1 xend_t:fd use;
+')
+
+########################################
@@ -3115,14 +3115,14 @@
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
-+ type xen_t;
++ type xend_t;
+ ')
+
-+ dontaudit $1 xen_t:fd use;
++ dontaudit $1 xend_t:fd use;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.3/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-07-14 17:07:12.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/xen.te 2006-08-03 10:26:57.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/xen.te 2006-08-03 12:45:18.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.7)
@@ -3130,16 +3130,18 @@
########################################
#
-@@ -70,6 +70,8 @@
+@@ -69,7 +69,10 @@
+ #
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
++dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -79,7 +81,7 @@
+@@ -79,7 +82,7 @@
allow xend_t self:packet_socket create_socket_perms;
allow xend_t xen_image_t:dir r_dir_perms;
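Review bot: The added `dontaudit xend_t self:capability { sys_ptrace };` rule silences a denial without saying what triggers it, and the same applies to the `domain_dontaudit_ptrace_all_domains(...)` calls added for xend_t and xenconsoled_t in the two later xen.te hunks. The access stays denied, but a dontaudit rule also drops the AVC record, so a ptrace attempt from xend_t, which the preceding `allow` line shows holding dac_override, setuid and net_admin, would leave no trace in the audit log. Presumably the denials come from harmless process-state reads, given the neighbouring `domain_read_all_domains_state(xend_t)`; if that is confirmed, record it next to each rule with a comment such as `# denials triggered while xend reads other domains' state; denied and intentionally not logged`. Where the cause is not confirmed, it is safer to leave the denial audited until it is. The xend_t local policy block extends beyond what this hunk shows.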
@@ -3148,7 +3150,7 @@
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
-@@ -130,6 +132,8 @@
+@@ -130,6 +133,8 @@
corenet_tcp_bind_soundd_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
@@ -3157,7 +3159,14 @@
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
-@@ -144,13 +148,17 @@
+@@ -138,19 +143,24 @@
+
+ domain_read_all_domains_state(xend_t)
+ domain_dontaudit_read_all_domains_state(xend_t)
++domain_dontaudit_ptrace_all_domains(xend_t)
+
+ files_read_etc_files(xend_t)
+ files_read_kernel_symbol_table(xend_t)
files_read_kernel_img(xend_t)
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@@ -3177,7 +3186,7 @@
libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)
-@@ -171,7 +179,7 @@
+@@ -171,7 +181,7 @@
netutils_domtrans(xend_t)
optional_policy(`
@@ -3186,7 +3195,14 @@
')
########################################
-@@ -196,10 +204,11 @@
+@@ -191,15 +201,18 @@
+ allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+
++domain_dontaudit_ptrace_all_domains(xenconsoled_t)
++
+ kernel_read_kernel_sysctls(xenconsoled_t)
+ kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)
term_create_pty(xenconsoled_t,xen_devpts_t);
@@ -3199,7 +3215,7 @@
libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)
-@@ -238,10 +247,11 @@
+@@ -238,10 +251,11 @@
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.243
retrieving revision 1.244
diff -u -r1.243 -r1.244
--- selinux-policy.spec 3 Aug 2006 14:47:22 -0000 1.243
+++ selinux-policy.spec 3 Aug 2006 16:50:26 -0000 1.244
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.3
-Release: 19
+Release: 20
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,9 @@
%endif
%changelog
+* Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-20
+- More fixes for xen
+
* Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-19
- Fix anaconda transitions